More user passwords dumped, this time from alleged Billabong.com hack

On the heels of the Yahoo breach, hackers claim to hit the clothing website.

Hackers dumped another huge cache of stolen passwords, this time exposing what they said are as many as 35,000 plaintext passcodes from the website of clothing maker Billabong International.

A post on CodePaste.net claimed 20,000 to 35,000 user names and corresponding passwords were retrieved in the hack of billabong.com. But the post included only 1,435 plaintext user credentials and didn't explain the discrepancy. Australia-based Billabong provides the accounts to customers to make frequent online purchasing easier. The post also included what it claimed were user names and hashed passwords for MySQL accounts used to administer the site.

The post comes less than 24 hours after the discovery of a separate password dump that affected more than 453,000 accounts for Yahoo's Contributor Network (previously Associated Content). In both cases, Web administrators appear to have stored the passwords in plaintext, a practice that is severely frowned upon in the security profession because it makes life much easier for hackers who gain a foothold in a vulnerable system. With only a little extra work, admins could have used Bcrypt or another modern cryptographic algorithm to scramble the passwords into one-way hashes that can't easily be reversed. The hashes may still be cracked, but if the process is done correctly, the protection buys hacked websites enough time to warn users before their plaintext passwords are circulated.
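To make the difference concrete, here is an added illustration (not code from the article or from either site) of the two storage patterns the article contrasts: a record that holds the password itself, and a record that holds only a salted, iterated one-way hash. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for Bcrypt, which needs a third-party package; the salt, work factor, and verification flow are the same idea. The sample user name and password are constructed.

```python
import hashlib
import hmac
import os

# Work factor: how many times the hash is iterated per guess. Raised over
# time as hardware gets faster; chosen here as an illustrative value.
ITERATIONS = 100_000


def store_plaintext(username: str, password: str) -> dict:
    """The anti-pattern the article describes: the credential itself is
    written into the account record, so a dump of the table is a dump of
    every user's password."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Salted, iterated one-way hash. Only the verifier is stored; the
    per-user random salt means identical passwords hash differently and
    precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak partial matches."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def exposes_password(record: dict) -> bool:
    """What someone reading a leaked record immediately has: True if the
    password is sitting in the record in the clear."""
    return "password" in record


if __name__ == "__main__":
    # Constructed sample credential, not from the dump.
    user, pw = "customer@example.com", "correct horse battery staple"

    bad = store_plaintext(user, pw)
    good = store_hashed(user, pw)

    print("plaintext record leaks password:", exposes_password(bad))   # True
    print("hashed record leaks password:   ", exposes_password(good))  # False
    print("login with right password:      ", verify(good, pw))        # True
    print("login with wrong password:      ", verify(good, pw + "!"))  # False
```

The hashed record can still be attacked by guessing, but each guess costs the full iteration count, which is exactly the delay the article says buys a breached site time to notify its users.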

Like most websites with user accounts these days, billabong.com uses email addresses as user names. For those who used the same password for their e-mail—a practice that is increasingly common—the exposure could have far-reaching consequences for compromised Billabong customers. To protect them, Ars Technica isn't publishing the address of the CodePaste link.

The hackers behind the latest dump suggested they may have gained root access to the Billabong servers. The privileged access would have given them unfettered privileges to read, write, or delete files or install new applications. They didn't say how they penetrated the website's defenses. The people behind the Yahoo hack said they used a SQL injection attack. The same technique may also have been used against Billabong.

Representatives of Billabong didn't immediately respond to a request for comment. This article will be updated if a reply is received later.